Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How to hack a web app? WebConfAsia 2018

Asim Hussain
June 08, 2018
Programming
0
80

How to hack a web app? WebConfAsia 2018

Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! In this episode of CSI Hong Kong, we’ll investigate a series of hacking stories and break them down step-by-step to see exactly how they did it.

By the end, you’ll walk away a little bit more scared and a lot more prepared with some great practices you can apply immediately to your own applications.

Asim Hussain

June 08, 2018
Tweet

More Decks by Asim Hussain

See All by Asim Hussain
JavaScript Saves The World - DotJS 2019
jawache
0
860
Saving the world, one line at a time [CodeLeaders Australia 2019]
jawache
0
62
YGLF_2019.pdf
jawache
1
120
AI + JavaScript Rocks @ GDGDevFest UA 2018
jawache
0
45
How to scale an SPA? @ AmsterdamJS 2018
jawache
0
20
How to hack an Angular app? - ngConf 2018
jawache
0
770
Getting started with node.js @ AngleBrackets 2018
jawache
1
170
How to hack an Angular app? @ ngVikings 2018
jawache
1
1k
How to hack a python app? @ PyCaribbean 2018
jawache
0
160

Other Decks in Programming

See All in Programming
PHPの次期バージョンはこの時期どうなっているのか - Internalsの開発体制について - PHPカンファレンス小田原
youkidearitai
PRO
1
190
Goのmultiple errorsについて (2024年4月版)
syumai
4
910
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
960
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
110
Code Reviews
bkuhlmann
4
890
Prepare for Jakarta EE 11 - Performance and Developer Productivity
ivargrimstad
0
810
Random\Randomizer クラスで日常のあれこれを解決しよう! / Random\Randomizer class solves familiar trouble
cocoeyes02
0
250
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
コーンフレークから始める モデリング会話入門
ogurotakayuki
0
370
使ってみよう Azure AI Document Intelligence
kosmosebi
2
320

Featured

See All Featured
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Code Review Best Practice
trishagee
55
15k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
GraphQLとの向き合い方2022年版
quramy
32
12k
Design by the Numbers
sachag
274
18k
Music & Morning Musume
bryan
41
5.6k
Debugging Ruby Performance
tmm1
70
11k
A Tale of Four Properties
chriscoyier
151
22k
The Language of Interfaces
destraynor
151
23k
Designing with Data
zakiwarfel
96
4.8k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k

Transcript

  1. None

  2. How to hack a web app? @jawache WebConfAsia 2018

  3. None

  4. It can happen to you @jawache

  5. Asim Hussain @jawache codecraft.tv microsoft.com @jawache

  6. None

  7. @jawache

  8. https://aka.ms/jawache-cda @jawache

  9. https://aka.ms/jawache-cda @jawache

  10. @jawache

  11. @jawache #2

  12. Vulnerability vs. Exploit

  13. @jawache Photo by Kristina Flour on Unsplash 0 Day Exploit

  14. @jawache Photo by Veri Ivanova on Unsplash 0 Day Exploit

  15. None

  16. @jawache

  17. @jawache

  18. @jawache

  19. @jawache

  20. @jawache

  21. "12 of top 50 data breaches were through known vulnerabilities"

    - snyk.io @jawache https://snyk.io/blog/owasp-top-10-breaches/

  22. "77% of 433,000 Sites Use Vulnerable JavaScript Libraries" - snyk.io

    https://snyk.io/blog/77-percent-of-sites-still-vulnerable/ @jawache

  23. @jawache

  24. @jawache nsp

  25. @jawache aka.ms/jawache-asc

  26. @jawache aka.ms/jawache-asc

  27. @jawache

  28. @jawache Photo by energepic.com from Pexels Summary

  29. @jawache #2

  30. 'SELECT * FROM COMPANIES WHERE name =' + name; @jawache

  31. SELECT * FROM COMPANIES WHERE name =; DROP TABLE "COMPANIES";

    --LTD @jawache

  32. @jawache

  33. @jawache

  34. @jawache Photo by Braydon Anderson on Unsplash Summary

  35. @jawache

  36. @jawache

  37. #3 @orange_8361

  38. None

  39. git push http://example.com @jawache

  40. git push http://localhost @jawache

  41. http://0 @jawache git push

  42. @jawache git push http://0:9200/_shutdown

  43. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto,

    server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

  44. http://0:8000/composer/send_email? to=orange@nogg& url=http://127.0.0.1:12345/foo @jawache

  45. def send_email(request): try: recipients = request.GET['to'].split(',') url = request.GET['url'] proto,

    server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse() ... @jawache

  46. \r\n @jawache

  47. %0D%0A @jawache

  48. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo: @jawache

  49. GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1 Host: 127.0.0.1:12345 Accept-Encoding: identity @jawache

  50. GET /%0D%0Ahello%0D%0AFoo:\r\n HTTP/1.1\r\n Host: 127.0.0.1:12345\r\n Accept-Encoding: identity\r\n \r\n \r\n @jawache

  51. @jawache GET /\r\n hello\r\n Foo: HTTP/1.1\r\n Host: 127.0.0.1:12345\r\n Accept-Encoding: identity\r\n

    \r\n \r\n

  52. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A @jawache

  53. GET / set key 0 900 4 data HTTP/1.1 Host:

    127.0.0.1:11211 Accept-Encoding: identity @jawache

  54. GET / set key 0 900 4 data HTTP/1.1 Host:

    127.0.0.1:11211 Accept-Encoding: identity @jawache

  55. code code @jawache

  56. code code @jawache

  57. DeprecatedInstanceVariableProxy @jawache

  58. @jawache

  59. @jawache Photo by Kelly Sikkema on Unsplash Summary

  60. @jawache

  61. #4 @jawache

  62. @jawache

  63. @jawache

  64. None

  65. @jawache

  66. cross-env vs. crossenv @jawache

  67. @jawache Photo by Jairo Alzate on Unsplash Summary

  68. @scope/package-name @jawache

  69. package-name packagename package.name @jawache

  70. Update Don't assume Small vulnerability Don't trust anyone Everything Sanitise

    Fix @jawache

  71. Asim Hussain @jawache codecraft.tv microsoft.com

  72. aka.ms/jawache-asc @jawache more info...

  73. How I Chained 4 vulnerabilities on GitHub Enterprise - Orange

    Tsai http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html CRLF injection vulnerability in the HTTPConnection https://www.cvedetails.com/cve/CVE-2016-5699/ Exploit DB https://www.exploit-db.com/ Metasploit https://www.metasploit.com/ The Equifax hack and how to protect your family — all explained in 5 minutes https://medium.freecodecamp.org/the-equifax-hack-and-how-to-protect-your-family-all-explained-in-5-minutes-a2b5187cb6c0 Oscar Bolmsten on Twitter https://twitter.com/o_cee/status/892306836199800836 Malicious packages in npm. Here’s what to do - Ivan Akulov https://iamakulov.com/notes/npm-malicious-packages/